Abstract

Current client-server applications such as online banking
employ the same client-side software stack to handle information
with differing security and functionality requirements,
thereby increasing the size and complexity of software
that needs to be trusted. While the high complexity of
existing software is a significant hindrance to testing and
analysis, existing software and interfaces are too widely used
to be entirely abandoned. We present a proxy-based approach
called FlowGuard to address the problem of large
and complex client-side software stacks. FlowGuard’s proxy
employs mappings from the sensitivity of information to the
trustworthiness of software stacks to demultiplex incoming
messages amongst multiple client-side software stacks. One
of these stacks is a fully-functional legacy software stack
and another is a small and simple stack designed to handle
sensitive information. In contrast to previous approaches,
FlowGuard not only reduces the complexity of software
handling sensitive information but also minimizes modifications
to legacy software stacks. By allowing users and service
providers to define the mappings, FlowGuard also provides
flexibility in determining functionality-security tradeoffs.
We demonstrate the feasibility of our approach by implementing
a FlowGuard, called BLAC, for https-based applications.
BLAC relies on text patterns to identify sensitive
information in HTTP responses and redirects such responses
to a small and simple TrustedViewer, with an unmodified
legacy software stack handling the rest of the responses. We
developed a prototype implementation that works with a
prominent bank’s online banking site. Our evaluation shows
that BLAC reduces size and complexity of software that
needs to be trusted by an order of magnitude, with a manageable
overhead of a few tens of milliseconds per HTTP
response.
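The demultiplexing step the abstract describes, as an added illustration rather than code from the paper or from BLAC: a proxy-side classifier parses one HTTP response, applies text patterns to its body, and maps the resulting sensitivity level to the stack that should render it. The pattern list, the level names, the sensitivity-to-stack mapping and the sample responses are all constructed for this example, and one design choice is an assumption of the example rather than something the abstract states: a text response the proxy cannot decode (unsupported or corrupt Content-Encoding, bad charset) is routed to the TrustedViewer, so an attacker who obscures a sensitive page cannot push it to the legacy stack.

```python
import gzip
import re
from dataclasses import dataclass, field

# Hypothetical sensitivity-to-stack mapping. The paper leaves these mappings
# to users and service providers; the level names here are assumptions.
STACK_FOR_LEVEL = {
    "sensitive": "TrustedViewer",
    "ordinary": "legacy",
}

# Constructed text patterns standing in for BLAC's real ones (assumed format).
SENSITIVE_PATTERNS = [
    ("account_number", re.compile(r"\b\d{4}-\d{4}-\d{4}\b")),
    ("balance", re.compile(r"available\s+balance", re.IGNORECASE)),
]


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> HttpResponse:
    """Split a raw HTTP/1.x response into status, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return HttpResponse(status, headers, body)


def response_text(resp: HttpResponse) -> str:
    """Return the body as text, undoing gzip and honouring the declared charset.

    Raises ValueError when the body cannot be decoded, so the caller can fail closed.
    """
    body = resp.body
    encoding = resp.headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError) as exc:  # gzip.BadGzipFile is an OSError
            raise ValueError("bad gzip body") from exc
    elif encoding:
        raise ValueError(f"unsupported content-encoding {encoding!r}")
    ctype = resp.headers.get("content-type", "")
    m = re.search(r"charset=([\w-]+)", ctype, re.IGNORECASE)
    charset = m.group(1) if m else "utf-8"
    try:
        return body.decode(charset)
    except (LookupError, UnicodeDecodeError) as exc:
        raise ValueError("undecodable body") from exc


def classify(resp: HttpResponse):
    """Map a response to (sensitivity level, names of the patterns that fired).

    Non-text bodies (images, scripts) carry no matchable text and go to the
    legacy stack. Text the proxy cannot decode is treated as sensitive: this
    fail-closed rule is an assumption of the example, not a claim of the paper.
    """
    ctype = resp.headers.get("content-type", "").lower()
    if not ctype.startswith("text/"):
        return "ordinary", []
    try:
        text = response_text(resp)
    except ValueError:
        return "sensitive", ["undecodable"]
    hits = [name for name, pat in SENSITIVE_PATTERNS if pat.search(text)]
    return ("sensitive" if hits else "ordinary"), hits


def route(raw: bytes):
    """Demultiplex one raw response: returns (stack name, matched pattern names)."""
    level, hits = classify(parse_response(raw))
    return STACK_FOR_LEVEL[level], hits


# Constructed sample responses; none of this is real bank traffic.
BALANCE_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                b"<html><p>Available balance: $1,234.56</p>"
                b"<p>Account 1234-5678-9012</p></html>")
BRANCH_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><h1>Branch locator</h1></html>")
GZIPPED_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Encoding: gzip\r\n\r\n"
                + gzip.compress(b"<p>AVAILABLE BALANCE: 5</p>"))
LOGO = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n"
BROKEN_GZIP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n\r\nnot really gzip")

if __name__ == "__main__":
    for name, raw in [("balance", BALANCE_PAGE), ("branch", BRANCH_PAGE),
                      ("gzipped", GZIPPED_PAGE), ("logo", LOGO), ("broken", BROKEN_GZIP)]:
        print(name, route(raw))
```

Two points a deployment would have to settle beyond this sketch: the proxy must see the plaintext of the HTTPS response (hence the "https-based" scope of BLAC), and pattern matching on decoded text is only as good as the decoding, so every transfer or content encoding the legacy browser accepts must be either unwrapped here or rejected into the trusted path.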